Thanks for sharing Julian! Do we *need* to respond to security issues that are uncovered? I certainly agree that we *should* if at all possible. But by choosing not to participate, we would be choosing not to respond to *all* security issues that might only be uncovered via fuzzing. It seems reasonable to me (assuming any discovered vulnerabilities can be kept private), that we should be free to ignore issues that are uncovered.
--
Michael Mior
[email protected]

On Fri, Jun 16, 2023 at 2:31 PM Julian Hyde <[email protected]> wrote:
> Someone from Google logged a case offering to add Calcite to the
> OSS-Fuzz program. (I work for Google but was not aware that we were
> being considered.)
>
> https://issues.apache.org/jira/browse/CALCITE-5781
>
> How do people feel about participating in this program?
>
> I think that it could improve our security significantly, but it will
> take work. The fuzzer might generate a lot of false negatives. It
> might also generate quite a few genuine security issues that we will
> need to respond to appropriately. As an all-volunteer project it might
> put a strain on us.
>
> Julian
